“Hi, there. We’ve noticed some suspicious activity on your credit card. Did you purchase four plane tickets from Rio de Janeiro to Paris?”
“No, of course not. I live outside of San Francisco.”
“No problem. It appears your card has been compromised. We will close the account, reverse the charges and issue you a new card.”
This is a typical credit card fraud inquiry, performed thousands of times per day throughout the United States. When a credit card provider sees an anomalous charge (based on learned behavioral clues) to an account, a representative reaches out to the cardholder, confirms the validity of the charge and then takes the next steps to keep out the attacker.
As enterprise security professionals, there is a lot we can learn from this fraud identification paradigm. In 2013, stolen user credentials accounted for more than 76 percent of network intrusions. In 2014 and into 2015, we saw stolen credentials used in breaches at Sony, Home Depot, Goodwill, Anthem Insurance and the U.S. Postal Service, among many others. What if these enterprises had viewed their user credentials the way credit card companies view members’ accounts?
Applying a behavior analytics approach to monitor movement throughout a network helps enterprise security analysts learn and establish a normal baseline for each user, just as credit card companies leverage machine-learning technologies to understand buying patterns. A few anomalous clues, for instance a login from Ukraine combined with identity switching at an odd time of day, will prompt an analyst to contact the user to determine whether the account has been compromised.
If tracking user behavior were as simple as it sounds, why haven’t more security teams implemented this approach? Currently, too many enterprises are pouring their budgets into systems that defend against the initial compromise and data exfiltration stages of an attack. What they don’t realize is that these are the two shortest parts of the attack chain, and defending them will not catch attackers moving laterally through their networks.
Security information and event management (SIEM) is a great first step toward tracking movement through a network, but it produces thousands of alerts for analysts to sift through each day. Gartner’s “Market Guide for User Behavior Analytics” offers a great overview of how enterprises can leverage existing SIEM data and enhance it with Active Directory data to identify suspicious user activity.
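The two ideas above, a per-user behavioral baseline and enrichment of SIEM events with Active Directory attributes, can be sketched in a few dozen lines. The following is an added example written for this page, not code from Exabeam or from the Gartner guide. The event tuples, the directory table, the scoring weights and the threshold are all constructed assumptions; a real deployment would learn its baselines from months of authentication logs and tune the weights against analyst feedback.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of historical authentication events, shaped like a SIEM
# export: (user, ISO timestamp, source country, account actually used).
# This is made-up data for illustration only.
HISTORY = [
    ("alice", "2015-02-02T09:05:00", "US", "alice"),
    ("alice", "2015-02-03T09:40:00", "US", "alice"),
    ("alice", "2015-02-04T10:15:00", "US", "alice"),
    ("alice", "2015-02-05T14:30:00", "US", "alice"),
    ("alice", "2015-02-06T08:55:00", "US", "alice"),
    ("bob",   "2015-02-02T22:10:00", "DE", "bob"),
    ("bob",   "2015-02-03T23:05:00", "DE", "bob"),
    ("bob",   "2015-02-04T21:45:00", "DE", "svc_backup"),  # bob routinely switches to a backup account
    ("bob",   "2015-02-05T22:30:00", "DE", "bob"),
]

# Constructed Active Directory attributes used to enrich the SIEM events
# (hypothetical values; a real system would read these from the directory).
DIRECTORY = {
    "alice":      {"home_country": "US", "privileged": False},
    "bob":        {"home_country": "DE", "privileged": False},
    "svc_backup": {"home_country": "DE", "privileged": False},
    "da_admin":   {"home_country": "US", "privileged": True},
}


def build_baselines(events):
    """Learn, per user, the countries, login hours and accounts normally seen."""
    baselines = defaultdict(
        lambda: {"countries": set(), "hours": Counter(), "accounts": set(), "n": 0}
    )
    for user, ts, country, account in events:
        b = baselines[user]
        b["countries"].add(country)
        b["hours"][datetime.fromisoformat(ts).hour] += 1
        b["accounts"].add(account)
        b["n"] += 1
    return baselines


def score_event(baselines, directory, event, rare_hour_fraction=0.1):
    """Return (score, reasons) for one new event judged against the user's baseline.

    Scoring weights are assumed for this example; they are not a standard.
    """
    user, ts, country, account = event
    b = baselines.get(user)
    if b is None:
        return 3, ["no baseline exists for this user"]
    score, reasons = 0, []
    # Geographic anomaly: country never seen for this user, worse if it also
    # disagrees with the AD home country.
    if country not in b["countries"]:
        score += 2
        reasons.append(f"login from {country} never seen for {user}")
        if country != directory.get(user, {}).get("home_country"):
            score += 1
            reasons.append("country differs from AD home country")
    # Time-of-day anomaly: an hour that accounts for under 10% of past logins.
    hour = datetime.fromisoformat(ts).hour
    if b["hours"][hour] / b["n"] < rare_hour_fraction:
        score += 1
        reasons.append(f"login at hour {hour:02d} is rare for {user}")
    # Identity switch: using an account not in the baseline, worse if the
    # directory marks that account as privileged.
    if account != user and account not in b["accounts"]:
        score += 2
        reasons.append(f"identity switch to {account} not in baseline")
        if directory.get(account, {}).get("privileged"):
            score += 1
            reasons.append(f"{account} is a privileged AD account")
    return score, reasons


def triage(events, baselines, directory, threshold=3):
    """Return (user, score, reasons) for events worth an analyst's follow-up call."""
    flagged = []
    for ev in events:
        score, reasons = score_event(baselines, directory, ev)
        if score >= threshold:
            flagged.append((ev[0], score, reasons))
    return flagged


# Constructed new events to triage: two routine logins and one that shows the
# clues the text describes (unfamiliar country, odd hour, identity switch).
NEW_EVENTS = [
    ("alice", "2015-02-09T09:20:00", "US", "alice"),
    ("bob",   "2015-02-09T22:00:00", "DE", "svc_backup"),
    ("alice", "2015-02-09T03:12:00", "UA", "da_admin"),
]

if __name__ == "__main__":
    for user, score, reasons in triage(NEW_EVENTS, build_baselines(HISTORY), DIRECTORY):
        print(f"contact {user}: score {score}; " + "; ".join(reasons))
```

Only the third event reaches the threshold; bob's switch to `svc_backup` scores nothing because it is part of his learned baseline, which is exactly the noise reduction over raw SIEM alerts that the paragraph above is after.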
Want to hear more about applying the credit fraud paradigm to enterprise security and user behavior intelligence? Vote for Mark Seward to speak on the topic at RSA Conference in April.